
External access via SSL

Most web browsers and devices require a secure connection over HTTPS. You can set up secure access to your Kubernetes cluster with a Kubernetes Ingress, as described below; alternatively you can terminate TLS in Nginx or Apache in front of the cluster. Note that an Ingress resource only does something if an ingress controller (for example ingress-nginx) is installed in the cluster.

If you do not need to provide external access you may skip this section.

Create certificates

To run a secure server you need a certificate. The certificate binds your domain name to your server's public key and is signed by a certificate authority that browsers trust; it is what the browser shows when a user clicks on the lock icon. You can obtain free certificates from Let's Encrypt. These certificates are valid for 90 days and can be renewed. A certificate obtained with certbot's manual mode, as used below, is not renewed automatically: repeat the procedure before the certificate expires and then recreate the Kubernetes secret. An easy way to create the certificates is via openssl and certbot.

sudo apt install openssl
sudo apt install certbot

You need a so-called wildcard certificate so you can expose multiple services deployed in the Kubernetes cluster, such as app.my_domain.com or mqtt.my_domain.com, with a single certificate. Replace my_domain.com with the domain name you actually own. A wildcard covers exactly one label: *.my_domain.com covers portal.my_domain.com but neither my_domain.com itself nor a.b.my_domain.com. If you also want the bare domain, add a second -d my_domain.com to the command. To create the wildcard certificate:

sudo certbot certonly --manual --preferred-challenges dns --agree-tos -d '*.my_domain.com'

Answer the questions and wait for the instruction to deploy a TXT record. For a wildcard certificate Let's Encrypt only accepts the DNS challenge: you prove that you control the domain by publishing a TXT record with a value that certbot gives you, for example:

Please deploy a DNS TXT record under the name
_acme-challenge.my_domain.com with the following value:

Kkfd0s9shC9-eKpYVb601cO1_1OwVEyFsliHRUMSdchI

Now add a TXT record with name _acme-challenge.my_domain.com and value Kkfd0s9shC9-eKpYVb601cO1_1OwVEyFsliHRUMSdchI to the DNS zone of my_domain.com at your DNS provider (this is the registrar's DNS console if the zone is hosted there). Do not continue in certbot until the record is visible from the public Internet; propagation can take several minutes, and a failed challenge counts against Let's Encrypt's failed-validation rate limit.

You can verify the record from outside your own network, for example with dig (dig +short TXT _acme-challenge.my_domain.com @8.8.8.8 should print the value), or by entering the name _acme-challenge.my_domain.com in the box on the web site http://dnslookup.online/txt.html. Once the record is visible you can continue the certbot process. The certificate chain (fullchain.pem) and private key (privkey.pem) are stored in the directory /etc/letsencrypt/live/my_domain.com, which certbot names after the domain with the wildcard prefix removed.
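Waiting for the TXT record by hand is error-prone, so the following script polls a public resolver until the challenge value is visible and only then tells you to continue in certbot. It is an added example, not part of the original page or of certbot; it assumes dig (from bind9-dnsutils) is installed, uses 8.8.8.8 as an arbitrary public resolver, and reuses the placeholder name and value from the certbot prompt above. The sample dig output embedded in the script is constructed, not captured from a real zone.

```shell
#!/bin/sh
# Added example (not from the original page): poll DNS until the ACME
# challenge TXT record is visible from a public resolver.
# Assumes: dig installed; 8.8.8.8 as resolver; placeholder domain and value.

# Constructed sample of `dig +short TXT` output (not from a real zone): the
# challenge record, an unrelated record, and a long record split in two strings.
SAMPLE_DIG_OUTPUT='"Kkfd0s9shC9-eKpYVb601cO1_1OwVEyFsliHRUMSdchI"
"v=spf1 -all"
"first-half-of-a-long-" "record"'

# Turn `dig +short TXT` output into one bare value per line: join the quoted
# parts of long records and strip the surrounding quotes.
txt_values() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# 0 if the expected value is one of the TXT values in the raw dig output $1.
# Whole-line match, so a prefix of the challenge value is not accepted.
txt_has_value() {
    printf '%s\n' "$1" | txt_values | grep -Fxq -- "$2"
}

# Query the TXT record of $1 at a public resolver (assumption: 8.8.8.8).
dig_txt() {
    dig +short @8.8.8.8 TXT "$1" 2>/dev/null
}

# Poll up to $3 times (default 30), ten seconds apart, until the record for
# name $1 carries value $2. Returns 0 when it does, 1 on timeout.
wait_for_txt() {
    name=$1
    expected=$2
    attempts=${3:-30}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_has_value "$(dig_txt "$name")" "$expected"; then
            echo "TXT record for $name is live; continue in certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name not visible after $attempts attempts" >&2
    return 1
}

# Usage, with the placeholders from the certbot prompt:
# wait_for_txt _acme-challenge.my_domain.com Kkfd0s9shC9-eKpYVb601cO1_1OwVEyFsliHRUMSdchI
```

Query a resolver other than your own caching one, otherwise a stale negative answer can hide the record long after your provider has published it.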

Deploy ingress

The certificate chain and private key generated by certbot are used to create a Kubernetes Secret of type kubernetes.io/tls called wildcard-tls. This secret is then referenced from the Ingress, so it must be created in the same namespace as the Ingress (the default namespace in the commands below). The private key is copied out of /etc/letsencrypt only so that kubectl can read it; delete the copies once the secret exists.

sudo cp /etc/letsencrypt/live/my_domain.com/fullchain.pem tls.crt
sudo cp /etc/letsencrypt/live/my_domain.com/privkey.pem tls.key
sudo kubectl create secret tls wildcard-tls --key="tls.key" --cert="tls.crt"
sudo rm tls.key tls.crt
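Before turning the files into a secret, and again after every renewal, it is worth checking that the key actually belongs to the certificate, that the certificate is not about to expire, and that its wildcard covers every host name the Ingress will serve. The script below does that; it is an added example, not part of the original page or the project, and it assumes openssl and kubectl are installed. The file names, the secret name wildcard-tls and the host names are the placeholders used on this page; the update_tls_secret function talks to the cluster and is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks on certbot's
# output before creating or refreshing the Kubernetes TLS secret.
# Assumes: openssl and kubectl installed; placeholder names from this page.

# 0 if the private key in $2 belongs to the certificate in $1. Compares the
# PEM-encoded public keys, so it works for RSA and ECDSA alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate in $1 does not expire within $2 seconds (default
# 0, i.e. "not expired yet"). openssl reads only the first certificate of
# fullchain.pem, which is the leaf.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# 0 if host $1 is matched by SAN entry $2. A wildcard matches exactly one
# label (RFC 6125 section 6.4.3): *.my_domain.com covers portal.my_domain.com
# but neither my_domain.com nor a.b.my_domain.com. Case-insensitive.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        \*.*)
            suffix=${pattern#\*.}
            [ "${host#*.}" = "$suffix" ] && [ -n "${host%%.*}" ] && [ "$host" != "$suffix" ]
            ;;
        *)
            [ "$host" = "$pattern" ]
            ;;
    esac
}

# 0 if some SAN of certificate $1 covers host $2. Runs in a subshell with
# globbing off so a SAN such as *.my_domain.com is never expanded against
# the files in the current directory.
cert_covers_host() {
    (
        set -f
        for n in $(cert_dns_names "$1"); do
            name_matches "$2" "$n" && exit 0
        done
        exit 1
    )
}

# 0 if every host named after the certificate path is covered; reports the rest.
cert_covers_hosts() {
    cert=$1
    shift
    rc=0
    for host in "$@"; do
        if ! cert_covers_host "$cert" "$host"; then
            echo "certificate does not cover $host" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Create or update secret $1 idempotently, so the same command serves the
# first deployment and every renewal (kubectl create alone fails once the
# secret exists). Not exercised offline.
update_tls_secret() {
    kubectl create secret tls "$1" --cert="$2" --key="$3" --dry-run=client -o yaml \
        | kubectl apply -f -
}

# Refuse to deploy a certificate that does not match the key, has less than
# 30 days left, or does not cover every host of the Ingress on this page.
preflight_and_deploy() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for "$1" $((30 * 24 * 3600)) || { echo "certificate expires within 30 days" >&2; return 1; }
    cert_covers_hosts "$1" portal.my_domain.com forms.my_domain.com \
        modeler.my_domain.com server.my_domain.com || return 1
    update_tls_secret wildcard-tls "$1" "$2"
}

# Usage: preflight_and_deploy tls.crt tls.key
```

The one-label rule is the check most often missed: a certificate for *.my_domain.com silently fails for my_domain.com itself, and the browser error only appears once the Ingress is live.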

To configure the Ingress, create a file ingress.yml with the following content and replace my_domain.com with your actual domain. Make sure that secretName matches the name of the secret you just created, and that each backend port number is the port of the corresponding Kubernetes Service (the Service's own port, not a NodePort or the port the container listens on, unless they happen to be the same). Whether plain HTTP on port 80 is redirected to HTTPS depends on the ingress controller; ingress-nginx does this by default for hosts that have TLS configured.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spacetime-tls
spec:
  # If the cluster runs more than one ingress controller, also set
  # ingressClassName to the class of the controller that should serve this Ingress.
  tls:
  - hosts:
    - modeler.my_domain.com
    - portal.my_domain.com
    - forms.my_domain.com
    - server.my_domain.com
    secretName: wildcard-tls
  rules:
  - host: portal.my_domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: portal
            port:
              number: 3000
  - host: forms.my_domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: forms
            port:
              number: 3002
  - host: modeler.my_domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: modeler
            port:
              number: 3005
  - host: server.my_domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: server
            port:
              number: 8010

You can now install the ingress:

kubectl create -f ingress.yml

If you change the file later, apply the changes (kubectl apply also works for the initial creation, so you can use it in both cases):

kubectl apply -f ingress.yml

Update router

On your router add a rule that forwards traffic on port 443 to the IP address of the server where the Kubernetes cluster is deployed, on the port where the ingress controller accepts HTTPS (443 if it uses hostNetwork or a host port, otherwise the NodePort it was given). Setting up the forwarding rule is different for each router. The host names must also resolve to your public IP address, for example through a wildcard A record for *.my_domain.com. You should now be able to access the service from anywhere on the Internet by opening a web browser or using curl; in the verbose curl output check that the certificate subject is CN=*.my_domain.com, that the verification result is ok, and that the portal answers with an HTTP status rather than a connection error:

curl -v https://portal.my_domain.com